Use kinit with a domain user and password to acquire a Kerberos ticket:

# kinit administrator

Enter the password when prompted.

Use klist to list the kerberos tickets.

However, once I have this working, I don’t know how to change authentication using nsswitch.conf and /etc/pam.d/sshd or system to make it work.

I assumed I wouldn’t need to change nsswitch.conf and that for Step 4 I would just have to uncomment the pam_krb5.so lines in /etc/pam.d/sshd and /etc/pam.d/system, but unfortunately that isn’t enough. Authentication is not working.

I can’t seem to find much documentation on pam and kerberos in FreeBSD. I have tried to add “debug” to the lines in the /etc/pam.d/sshd and /etc/pam.d/system but if that is adding more logging then I am not seeing it.

Now I am following up as promised with how to integrate this with Active Directory and AD’s LDAP. You need to know your LDAP Active Directory info. If you don’t, you need to get it. Or else maybe your domain is generic enough that looking at my examples will get you there.

Log in to dotProject.

Click on System Admin | Default User Preferences.

We will make changes to the following sections:

User Authentication Settings

LDAP Settings

These sections are shown in the screenshot below. After the screenshot, instructions on configuring each section are provided.

Scroll to the section called User Authentication Settings.

Change the User Authentication Method setting to LDAP.

Configure the LDAP Settings section.

For LDAP Host, enter the IP address of your Active Directory server.

Do not change the LDAP Port or LDAP Version settings.

On a default Active Directory installation, set the LDAP Base DN to the following:

CN=Users,DC=YourDomain,DC=tld

For example, the lab I am demoing this with is LD.Lab so it would be this:

CN=Users,DC=ld,DC=lab

For LDAP User Filter enter the following:

(sAMAccountName=%USERNAME%)

For the LDAP Search User, enter a domain user:

CN=John Doe,CN=Users,DC=ld,DC=lab

SUGGESTION: Create a service account on the domain with a really intense password and almost no rights, except of course the right to search LDAP so it can be an LDAP Search User.

Obviously for the LDAP Search User Password, enter the password for the LDAP Search User.

IMPORTANT! You must update this password here when the user’s changes in Active Directory (sorry for the “No duh” moment but it had to be said).

Scroll down and on the bottom right of the Default User Preferences page, click Save.

Go ahead and try to login as a Domain User.
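The LDAP User Filter above substitutes whatever the user typed at the login prompt for %USERNAME%. The following added example (not dotProject code) shows why that substitution must escape the value per RFC 4515 before it goes into the filter, and adds a cheap sanity check for the default-AD Base DN shape used above; the function names and the checks are my own.

```python
import re

# RFC 4515 escapes for characters that have meaning inside an LDAP search filter.
# Substituting a raw login name that contains them changes the filter's structure
# instead of matching the name literally.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(template: str, username: str) -> str:
    """Plain placeholder substitution (the weak form, shown for comparison only)."""
    return template.replace("%USERNAME%", username)


def build_user_filter(template: str, username: str) -> str:
    """Substitute the escaped username for %USERNAME% in a filter template such as
    the dotProject default '(sAMAccountName=%USERNAME%)'."""
    if "%USERNAME%" not in template:
        raise ValueError("filter template has no %USERNAME% placeholder")
    return template.replace("%USERNAME%", escape_filter_value(username))


# Shape of a default Active Directory base DN as used above: CN=Users,DC=...,DC=...
_BASE_DN_RE = re.compile(r"^CN=Users(,DC=[^,=]+){2,}$", re.IGNORECASE)


def looks_like_default_ad_base_dn(base_dn: str) -> bool:
    """Sanity check that the LDAP Base DN has the default CN=Users,DC=...,DC=... form."""
    return _BASE_DN_RE.match(base_dn) is not None


if __name__ == "__main__":
    template = "(sAMAccountName=%USERNAME%)"
    # Constructed sample login name containing filter metacharacters.
    odd_name = "*)(objectClass=*"
    print("unsafe :", build_user_filter_unsafe(template, odd_name))
    print("escaped:", build_user_filter(template, odd_name))
    print("base dn ok:", looks_like_default_ad_base_dn("CN=Users,DC=ld,DC=lab"))
```

The unsafe form turns the single sAMAccountName assertion into two, which is exactly what escaping prevents.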

Note On Changing Permissions: Domain Users may appear to get the Administrator role, but this is not really the case. They only get the Anonymous role when they first log in. See my forum post here: How to make an LDAP user an administrator?

Also, it appears that if you want all users who log in to get more permissions, then you must either edit the Anonymous role or modify every user individually. (Yeah, so the project needs some features in this area…maybe you want to become a contributor and develop it yourself?)

Copyright ® Rhyous.com – Linking to this article is allowed without permission and as many as ten lines of this article can be used along with this link. Any other use of this article is allowed only by permission of Rhyous.com.

So I am not going to cover installing Bugzilla, just how to get it to connect to Active Directory. Mostly the documentation was there, but there was not really a good example of actual implementation. If the documentation doesn’t provide an example (preferably multiple real-world examples) then it is poor documentation. Yes, Bugzilla, you are free to take my documentation and put it in your manual, or link to this page.

Gather the information from your production environment, especially the LDAP information for your Active Directory configuration:

Bugzilla Server name:

http://myserver/bugzilla

The LDAP Servers (Active Directory servers):

dc1.corp.mydomain.tld, dc2.corp.mydomain.tld

The LDAP Bind DN info of a user that can read Active Directory. (This can be any Active Directory user, as long as this user can read Active Directory’s users, which pretty much any user, no matter how locked down, can do.) So my username on the domain is JBarneck, but that is not what to use here. The LDAP Bind DN of my user name is like this (with company secret information changed).

The LDAP Base DN, which is the LDAP information for the OU that your users are in. My LDAP Base DN for the OU I am in is this (again with company secret information changed). This is exactly what I pasted into my configuration, backslash and all.

OU=MyDepartment,OU=MyCity,DC=corp,DC=MyDomain,DC=tld

The LDAPuidattribute, which is sAMAccountName; I don’t know if it can be changed in Active Directory.

sAMAccountName

Note: I’ll be honest. I didn’t have access to a domain controller or Active Directory so I used a tool called LDAPWhoAmI.exe (with an accompanying ldapinfo.dll) that is included in LANDesk’s Management Suite software. I can’t give you these files. But if you wanted to do a trial of LANDesk Management Suite, you could download a Management Suite trial (which is a gig or so) and extract it and get these files. You don’t have to install, just extract and search for the two files. Copy them to a Windows workstation on your domain, then open a command prompt, change to the directory where LDAPWhoAmI.exe and ldapinfo.dll were copied, and run LDAPWhoAmI.exe.

Log into Bugzilla as an administrator. There is no default administrative user for Bugzilla; you should have created a user account as part of the install.

Enable the LDAP module.

Click on Administration from the top menu bar.

Click on Parameters.

Click on User Authentication on the left menu bar.

Scroll down to the user_verify_class setting.

Highlight LDAP and click the up arrow so that it is first in the list. I left DB enabled. I left Radius disabled.

At the bottom of the web page (yes you have to scroll all the way to the bottom) click the Save Changes button.

Either log out or use a different browser or a different machine and connect to your bugzilla url:

http://myserver/bugzilla

Log in using an Active Directory account. I was unsure if I was supposed to use an email or my username, and it worked using my Domain user name, JBarneck, and my Domain password.

I hope this helps all of you get Bugzilla to authenticate using Active Directory much faster than if you had to scour the web for problems.

